Italy

WELCOME

OWASP Italy

Welcome to the Italy chapter homepage. The chapter leader is Matteo Meucci.

Participation

OWASP Foundation (Overview Slides) is a professional association of global members and is open to anyone interested in learning more about software security. Local chapters are run independently and guided by the Chapter_Leader_Handbook. As a 501(c)(3) non-profit professional association your support and sponsorship of any meeting venue and/or refreshments is tax-deductible. Financial contributions should only be made online using the authorized online chapter donation button. To be a SPEAKER at ANY OWASP Chapter in the world simply review the speaker agreement and then contact the local chapter leader with details of what OWASP PROJECT, independent research or related software security topic you would like to present on.

OWASP-Italy@Security Summit 2019

Thanks to CLUSIT, Giuseppe Trotta and Lorenzo De Meo gave a talk at the OWASP-Italy corner during the Security Summit in Milan.
When: 14th March 2019 at 16:10-16:50
Where: UNAHOTELS EXPO FIERA, via Keplero 12, Pero
Please see the presentations here: Federico De Meo: "Cloud Security Testing"

OWASP-Isaca Conference @ Venice 6th October 2017

OWASP Italy @ Security Summit 2017

OWASP Italy will participate in the Security Summit 2017 in Milan with 2 talks.
Antonio Parata will give a talk on the EyePyramid malware and Fabrizio Bugli will talk about "(3rd) Party like nobody's watching".

OWASP Italy @ Security Summit 2016

Adopt OSS. First Edition

OWASP Italy is pleased to announce a new initiative: AdoptOpenSourceSoftware.

Given OWASP’s mission to help organizations with application security, we have established a new initiative to provide free, voluntary-based support to open source software projects.

Thanks to Adopt OSS, security enthusiasts are paired with participating open source projects, thus gaining exposure to real-life security engineering challenges and the opportunity for career growth. In turn, the participating projects obtain free professional expertise to improve their security posture and ultimately build secure software. Over a six-month period, OWASP Italy will facilitate the effort by coordinating the initiative and providing support when needed.

The first edition of this initiative will take place between May and November 2015, and will see the participation of 7 OWASP Italy members and 3 major open source projects. At the end of the six-month period, OWASP Italy will publish results and feedback from both volunteers and OSS maintainers.

Ntopng

Alessio Petracca, Mattia Folador, Giuseppe Longo

Ntop is the de facto standard for real-time network traffic monitoring. OWASP Italy wants to help the project by increasing the security level of ntopng, performing security testing activities and supporting the remediation process.

Secondly, the main ntopng components (such as the C++ core engine) will be statically reviewed at the source code level. The objective is to address all relevant checks contained within the OWASP Code Review Guide.

In case the activities above are completed before the end of the six-month period, additional activities (such as the development of security plugins) will be discussed.
Luca Deri and Arianna Avanzini will support Alessio Petracca and Mattia Folador in these activities by providing guidance and insights.

WordPress

Paolo Perego, Sandro Zaccarini

WordPress is the de facto standard for web publishing. If you need a blog, a new showcase website for your portfolio or a tiny e-commerce website for your small company, WordPress is where you will look first.

Paying the cost of being the boss, WordPress has suffered a great many security issues over the years, with 3 major issues in the beginning of May 2015 alone. The core, plugins and themes alike are developed with ease of use in mind, and they need to be hardened.

OWASP Italy wants to support WordPress by adopting it through the "Stand by WordPress" initiative. We will deploy the software in three different standard configurations: blog, company portfolio and e-commerce.

We will do continuous appsec during development of version 4.3 in order to quickly spot security issues before the August release. In addition, we will take care of hardening guidelines and of both the plugin and theme subsystems in order to improve the overall architecture.

GlobaLeaks

GlobaLeaks is the first open-source whistleblowing framework. It empowers anyone to easily set up and maintain an anonymous whistleblowing platform.

Considering the potential hostile environments in which the application may be hosted, security vulnerabilities and abuses are primary concerns for GlobaLeaks’ maintainers.

We want to help the team in their excellent application security practices by performing vulnerability research activities in order to discover unknown bugs within the boundaries of their specific threat model. In particular, we will focus on two main software components (GLBackend and GLClient) and on new security-relevant changes (the upcoming authentication refactoring and end-to-end encryption).

OWASP EU Tour 2013 - 27th June - Rome

Thanks to the collaboration with Università Degli Studi Roma Tre, on 27th June we will have the OWASP EU Tour Rome Conference.
The OWASP Europe Tour is an event across the European region that promotes awareness about application security, so that people and organizations can make informed decisions about true application security risks. Everyone is free to participate in OWASP and all of our materials are available under a free and open software license.

Activities

(May 10): OWASP Training in London: last 28th May in London, OWASP leaders delivered a course focused on the main OWASP Projects. This course aims to change that by providing a selection of mature and enterprise-ready projects together with practical examples of how to use them.

(21 Jun 06) Infosecurity 2006: the event is organized and managed by the CLUSIT.

Alberto Revelli and Matteo Meucci will participate as speakers at the seminar: "Web Application Security: guidelines and security auditing for web applications". More info here

(1 Jun 06) "Quaderno CLUSIT"

CLUSIT has published a book entitled: "La verifica della sicurezza di applicazioni Web-based e il progetto OWASP". Several OWASP-Italy members (R.Chiesa, L.De Santis, M.Graziani, L.Legato, M.Meucci, A.Revelli) have contributed to the writing. The document is now reserved to CLUSIT members, but will be made public in about 3 months.

Thanks to Jim Weiler, Matteo Meucci has presented "Anatomy of two web attacks" at the OWASP-Boston meeting. More info here

(18 Nov 05) IDC - European Banking Forum

Thanks to Raoul Chiesa (Director of Communication OWASP-Italy), we will have a great speech at the IDC European IT Banking Forum 2005. Agenda:
- New standards for ICT security auditing in the Italian banking scenario: OSSTMM and OWASP. Raoul Chiesa, Director of Communications, ISECOM/OWASP-Italy and Matteo Meucci, OWASP-Italy Chair
- Workshop: unusual forms of attack and banking system violation: live experience. Raoul Chiesa, Director of Communications, ISECOM/OWASP-Italy

(Apr 05) We have written an article describing the OWASP projects, Web Application Security and the next challenges. ICT Security (the Italian magazine about Information Security) has published the article in issue 33 - April 2005.

The presentation of the seminar we gave at ISACA Rome (31st March 2005) is now available here.

(Apr 05) We have published a presentation describing a detailed case study of a web application vulnerability (MMS Spoofing).

(Mar 05) Thanks to Matteo Paolelli we have translated the "OWASP Top Ten Vulnerabilities in Web Application Security" into Italian. You can download it here.

January 25th, 2007 - Isaca Rome

October 7th, 2006 - SMAU 2006

- "The quest for secure code: code review and fundamentals of secure coding." Matteo Meucci will present an introduction to the new OWASP Projects and OWASP-Italy activities. Paolo Perego (sp0nge) will speak about secure coding and the importance of periodic code review as a natural part of the software life cycle. Paolo will give an overview of code review and its phases. http://www.webb.it/event/eventview/5772

- "Advanced SQL Injection." Antonio Parata (S4tan) will explain SQL Injection and how SQL Inference works on the PHP/MySQL platform. He will present an open source tool to support the testing. Alberto Revelli (icesurfer) will focus on Microsoft SQL Server: he will perform a live demo of sqlninja (http://sqlninja.sf.net), explaining how to obtain a pseudo-shell over SQL, how to escalate privileges, and how to play with the exotic equation: "SQL Injection + debug.exe + DNS = DOS prompt"! http://www.webb.it/event/eventview/5774

September 29th, 2006 - OpenExp 2006

Abstract: Antonio will introduce some basic concepts about software security. It will be shown how SQL Inference works on the PHP/MySQL platform, and an open source tool to support the testing will be presented. Finally, some advice on avoiding common bugs will be given. http://www.openexp.it/

OWASP-Italy will have a stand from September 29th to October 1st.

June 21st, 2006 - InfoSecurity 2006

Alberto Revelli and Matteo Meucci will participate as speakers at the seminar: "Web Application Security: guidelines and security auditing for web applications". The event is organized and managed by CLUSIT.

Aug, 2006 - Article on Banca Finanza magazine

Banca Finanza, the Italian magazine about finance and banking, has interviewed Raoul Chiesa about the new risks for online banking security. Raoul speaks about OWASP and web application security. Media:042006BF.pdf

June, 2006 - Quaderno CLUSIT

CLUSIT has published a book entitled: "La verifica della sicurezza di applicazioni Web-based e il progetto OWASP". Several OWASP-Italy members (R.Chiesa, L.De Santis, M.Graziani, L.Legato, M.Meucci, A.Revelli) have contributed to the writing. The document is currently reserved to CLUSIT members, but it will be made public in about 3 months.

April, 2005 - Published an article on ICT Security magazine

We have written an article describing the OWASP projects, Web Application Security and the next challenges. ICT Security (the Italian magazine about Information Security) has published the article in issue 33 - April 2005.

March, 2005 - OWASP Top-10 in Italian

Thanks to Matteo Paolelli we have translated the "OWASP Top Ten Vulnerabilities in Web Application Security" into Italian. You can download it here.

Tools & Research

Nov, 2007 - sqlmap v0.5

Bernardo Damele and Daniele Bellucci have released the fifth version of the tool sqlmap. sqlmap is an automatic SQL injection tool entirely developed in Python. It is capable of performing an extensive database management system back-end fingerprint, retrieving remote DBMS databases, usernames, tables and columns, enumerating the entire DBMS, reading system files and much more, taking advantage of web application programming security flaws that lead to SQL injection vulnerabilities.